What is Annex SL in ISO 9001-2015?

Annex SL is a platform upon which all the ISO management system standards rest. Many standards have yet to reach the platform; some have already taken their places, including ISO 9001. With the September 2015 release, ISO 9001 also became a member of this Annex family.

In this post I try to analyze the change in perspective and the added advantages that the introduction of Annex SL brings to the ISO family.

Annex SL – An Integrated Management System Approach

It was difficult to run multiple management system standards in parallel inside one organization, and it was difficult for the auditors too. Even though standards like ISO 9001, ISO 14001 and ISO 27001 have many common elements, they were described and organized differently, so implementing them together was a cumbersome task. Now the similarities across the standards are framed under a common umbrella and the conflicts between them are removed. Thus Annex SL makes the creation of an integrated management system much easier.

Annex SL – A new template for ISO management system standards

Annex SL is written primarily as a guide for those who create new standards. The core of Annex SL consists of 8 clauses and 4 appendices (illustrated in the figure below).

Every ISO management system standard is expected to adhere to the clause structure defined in Annex SL. In effect, with this framework ISO itself got a template for building new standards. To address industry-specific needs, additional requirements for discipline-specific sectors are added to this generic framework.

Annex SL – Easier for Users

Annex SL provides an identical structure, terms and common concepts for all ISO management system standards. This will ensure consistency among revised and future management system standards. Hence users will find it easier to read and understand the standards.

Annex SL – Easier for Auditors

Auditors will have a generic set of requirements as a guideline to follow irrespective of the discipline. This will make their job much easier.

Annex SL – Is it not a cost saver?

Definitely yes. It saves a good deal of time as well as cost. It helps to build an integrated management system, eliminating duplicated effort and conflicts between multiple standards. Conflicts always call for additional resources; if the conflicts are reduced, rework and in turn resources are reduced. It is also clear that maintaining an integrated management system is always more economical than maintaining multiple separate management systems.

Annex SL – The business focus

When different management streams are integrated, it becomes easier for senior management to set their vision, mission, goals, etc. The integration also helps management to streamline the entire business operation.

In short, Annex SL is a lot more than just a common framework for management system standards. It streamlines the creation of new ISO standards and provides an option for integrating multiple management system requirements.

Why did the ISO 9001-2008 standard change to the ISO 9001-2015 version? What will your short answer be if your senior management or corporate people ask such a question? You can have a detailed PowerPoint presentation to explain the changes. But how will you make them understand the major changes in fifteen minutes?

Point 1: Integrate with other management system standards

When there are many ISO management system standards in an organization, wouldn’t it be easier if they were explained and organized under a common umbrella? Wouldn’t it be easier if the redundancies among the standards were removed? There have been many complaints from organizations managing their systems with a number of ISO standards like ISO 9001, ISO 14001, ISO 27001, etc. Even though these standards had many common features, they were organized differently, which created a great problem for organizations trying to implement multiple standards.

The solution introduced is a common format across these standards: “Annex SL”. All ISO standards are updated, or are being updated, based on this high-level structure. This gives a common language across all ISO standards, thereby increasing consistency. ISO 9001-2015 will not be the first ISO management standard to employ Annex SL, nor will it be the last.

Annex SL streamlines the creation of new ISO standards and provides the option of integrating multiple management system requirements.

Point 2: Risk based thinking

Risk management was implicitly addressed in the earlier versions of ISO 9001. The new ISO 9001-2015 standard addresses it explicitly. Even though preventive and corrective actions were a part of ISO 9001:2008, they were limited to the quality management process. The new ISO 9001-2015 revision focuses on risk management at the global level.

In addition to the identification of risks at the organizational level, the new ISO standard expects organizations to address opportunities for improvement based on the risk analysis.

When you go into a detailed presentation, you can have a number of slides detailing the changes below:

  • Increased involvement of the leadership team
  • Integration of the QMS into organization’s business processes
  • Alignment with strategic direction
  • Documented information instead of ‘documents and records’
  • 10-clause structure
  • Clearer understanding of the organization’s context
  • Etc etc.

NB: All ISO standards are reviewed every five years to check whether a revision is necessary, to keep them current and relevant for the marketplace. ISO 9001:2015 will replace ISO 9001:2008. The revised ISO 9001 was published on Wednesday 23rd September 2015. There is a transition period of 3 years. Certifications to ISO 9001:2008 will no longer be valid after September 2018.

The CMMI appraisal method is known as SCAMPI. The result of an appraisal may include a rating, as demanded by the appraisal sponsor.

  • In a continuous representation
    • Rating is a “capability level profile” (e.g. Requirements Development Process Area is at Capability level 3).
  • In a staged representation
    • Rating is a “maturity level rating” (e.g. maturity level 2).

A maturity level rating is an easier way for organizations to compare themselves with other organizations.

But with a capability level rating, how is the comparison possible? If each organization selects the same process areas, capability level profiles can be used for comparison. Even then, there are some limits to the comparison.

Is there a way to convert the generated capability level rating to a maturity level rating?

Yes, there is. It is known as equivalent staging. Equivalent staging enables an organization using the continuous representation to convert a capability level profile to the associated maturity level rating.

How is this translation possible?

Before looking at the translation, let’s see how a capability profile is maintained. It could be a graph of process areas and their associated capability levels (achieved as well as targeted), as shown below. (The labels ‘1, 2, 3’ on the Y axis represent capability level 1, capability level 2 and capability level 3 respectively.)

Combined Target and Achievement Profile

In the graph, all the Process Areas (PAs) are at Capability Level 1 (CL 1) except the PA Configuration Management (CM).

There are two types of capability level profiles, as listed below:

  • An achievement profile represents the currently achieved capability level in selected process areas.
  • A target profile represents the capability levels that an organization wishes to achieve.

Maintaining capability level profiles is advisable when using the continuous representation, as it helps an organization to plan and track its progress for each selected process area.

Now back to the topic: how is equivalent staging done?

The most effective way to represent equivalent staging is to provide a sequence of target profiles for each PA, each of which is equivalent to a maturity level rating of the staged representation. The result is a target staging that is equivalent to the maturity levels of the staged representation. The figure below shows a summary of the target profiles that must be achieved when using the continuous representation to be equivalent to maturity levels 2 through 5. Each colored area in the capability level columns represents a target profile that is equivalent to a maturity level.

Target Profiles and Equivalent Staging

The following rules summarize equivalent staging:

To achieve maturity level 2, all process areas assigned to maturity level 2 must achieve capability level 2 or 3.

To achieve maturity level 3, all process areas assigned to maturity levels 2 and 3 must achieve capability level 3.

To achieve maturity level 4, all process areas assigned to maturity levels 2, 3, and 4 must achieve capability level 3.

To achieve maturity level 5, all process areas must achieve capability level 3.

In short, equivalent staging allows the unidirectional translation of assessment results from the continuous to the staged representation. Such staging permits benchmarking of progress among organizations.

To know more about equivalent staging at levels 4 and 5, please read “How can you achieve CMMI High Maturity in a continuous Representation..?”

In CMMI, have you noticed the evolutionary path for Process Areas? In fact, CMMI Maturity Levels are defined as evolutionary stages of process improvement.

An evolutionary process is a process whose stages consist of expanding increments of the defined process.

Watts Humphrey’s Capability Maturity Model (CMM) was published in 1988. According to him, organizations mature their processes in stages, based on solving process problems in a specific order. Humphrey based his approach on the staged evolution of a system of software development practices within an organization, rather than on measuring the maturity of each separate development process independently.

CMMs focus on improving processes in an organization. CMMI describes an evolutionary improvement path for the processes from ad hoc, immature processes to disciplined and mature processes with improved quality and effectiveness.

In some Process Areas the evolutionary path is very evident, as detailed below.

Evolutionary paths are expected to be one of the new features in CMMI Next Generation.

Measurement and Analysis starts at Maturity Level 2 and becomes more quantitative, with statistical analysis, at the high maturity levels. Even at Maturity Level 3, the Verification and Validation process areas demand analysis of peer review data (SP 2.3 in VER) and validation results (SP 2.2 in VAL).

Requirements Management at Maturity Level 2 talks about ensuring alignment between project work products and requirements through reviews and the like (SP 1.5). The Verification process area at Maturity Level 3 supports this process.

Risk Management begins at Maturity Level 2 (process areas Project Planning SP 2.2 and Project Monitoring and Control SP 1.3) and becomes robust at Maturity Level 3.

The Project Planning process area talks about planning for the knowledge and skills needed to perform the project. This is aided by the Organizational Training process area at Maturity Level 3, through which people can perform their roles effectively and efficiently.

Project Monitoring and Control talks about issue analysis at Maturity Level 2, which becomes much more elaborate at ML5 in the Causal Analysis and Resolution process area.

The process area Organizational Process Focus is treated as a younger brother of the PA Organizational Performance Management.

Integrated Project Management at Maturity Level 3 talks about establishing an integrated and defined process that is tailored from the organization’s set of standard processes. Quantitative Project Management at Maturity Level 4 talks about composing a defined process quantitatively to help the project achieve its quality and process performance objectives.

The picture below illustrates the evolutionary path of the Process Areas mentioned.

Evolutionary PAs

“Walking on water and developing software from a specification are easy if both are frozen.” –  Edward Berard

Baseline means ‘a line which is the base’. The word baseline may refer to surveying, typography, budgeting, pharmacology, configuration management, calculations, etc.

In the IT industry, baseline mainly implies:

  • A Configuration Baseline – A configuration of software, hardware or a process that is established and documented as a point of reference
  • A Process Performance Baseline (PPB) – A datum used as the basis for calculation or comparison

Configuration baseline

As and when a work product is created and ready for review, it should be labeled ‘ready for review v0.9’ (the version number may change based on the project’s strategy). At the same time, the work product should be available in the configuration tool. Once review, rework and verification are completed, the work product is ready for approval. There should be an identified approving authority for each work product. After approval, the work product is baselined (the baseline string can be ‘baselined v1.0’). Whenever a change to the work product is requested, an impact analysis is triggered first. Impact analysis helps to understand the change in cost, schedule, competency requirements, affected work products, etc. The Change Control Board (as defined in the project plan) should approve the change before the work product is updated. After the update, the work product goes through the review, approval and baselining process (if the change is minor, the review process can be skipped as defined in the project plan). The baseline string can be ‘baselined v1.1’ or ‘baselined v2.0’ depending on whether the change is minor or major. All change requests should be recorded and tracked for future reference.

Without configuration management, many people have to work on a work product that keeps changing. This creates the copy-over problem, which causes versions of files to be lost. The number of uncontrolled copies of files makes it difficult to determine where the latest version really is.

A configuration baseline is the configuration of a service, product or infrastructure that has been formally reviewed and approved, that thereafter can be changed only through formal change mechanisms.

Process Performance Baseline

Project data is recorded in the organizational metric repository. From this data, performance baselines are created; in most cases these are the center line and the upper and lower control limits from a control chart of that process execution. These baselines are used as a benchmark for comparing actual process performance against expected process performance, and they are revisited at a defined frequency.

These baselines are used:

  • In the project estimation process
  • While setting objectives for the project
  • As inputs to the process performance models

A baseline helps to monitor current project performance and also to improve the accuracy of future estimates.

In short

A configuration baseline shows the current state of a configuration item, while a Process Performance Baseline shows the current performance of a process.

 

Have you ever wondered about the difference between acceptance criteria and requirements?

Have you ever thought about why they need to be documented separately?

Requirements and acceptance criteria seem to be the same, but they are not.

Requirements are at a higher level, while acceptance criteria are at a lower level, closer to the delivery point. In an ideal world acceptance criteria may be equivalent to requirements. But in the real world a lot of changes happen over the course of time.

Requirements are what you are supposed to do. Acceptance criteria are agreed-upon measures for calling a project “done.” Acceptance criteria are a set of statements, each with a clear pass/fail result. Testability has a close connection with acceptance criteria.

Let us work out a simple example.

I wish to buy a new watch by the end of this month. It should have a broad silver strap with a round face. It also needs to be an alarm watch with multiple time zones. Its cost should be less than 100$. And finally it should suit my style. These are my specifications or requirements pertaining to the watch.

Now what are my acceptance criteria? Do I need to consider all of those requirements as acceptance criteria? Or is there anything more that I need to consider while choosing my acceptance criteria?

I define my acceptance criteria as

‘I have to go to a watch store (not online) and purchase the watch. I need it if and only if I can purchase it before the end of this month.’

Here, the acceptance criteria stated above are independent of the requirements. If I add the statements below to them, the acceptance criteria become related to the requirements.

‘It should have a broad silver strap with a round face. There should be a provision to set an alarm. It should be possible to alter time zones. And its price needs to be less than 100$.’

So what are the acceptance criteria?

They can vary based on how the user defines them. It is possible for a developer to complete only a few of the requirements and still meet the acceptance criteria to finish the project. Basically, they are a set of agreements which need to be satisfied for a user to accept the product. These agreements are not static; they vary whenever there is a change in conditions. Below are some examples of changes in conditions that lead to changes in acceptance criteria over the course of time.

  • Budget changes
  • Requirements change
  • Schedule changes
  • Competency changes

In short, it is not necessary to have all the requirements in the acceptance criteria. In some cases, some requirements (the so-called “nice to have” requirements) may be cut and considered in the next iteration. Sometimes acceptance criteria may be totally independent of requirements.

 

CMMI Version 1.3 was released on November 1, 2010. All three constellations of CMMI (SVC, ACQ and DEV) were released in the same period, considering the similarities across them.

How good would it be if all three constellations were combined into a single model? It would definitely ease the process of CMMI compliance as well as appraisal.

Yes, the realization is not far ahead. The CMMI Institute has started to redefine and rewrite CMMI. ‘CMMI NextGen’ is the project currently underway at the CMMI Institute. NextGen will combine ACQ, DEV, SVC, P-CMM and DMM into a single model. NextGen won’t be a simple upgrade like v1.1 to v1.2, or v1.2 to v1.3. It is a “re-molding” of the entire model.

A set of working groups has been formed under this project to define the future of CMMI. They work on:

  • Architecture
  • Current needs
  • Implementation
  • Performance
  • Plain language
  • Simplify model and appraisal method
  • System
  • Trainings

Each working group consists of “authors” and “reviewers.” Read more about the working groups at http://partners.clearmodel.com/volunteer-cmmi-next-generation-working-group/. The CMMI Institute is collecting requirements and recommendations. Since the change is a major one, we will have to wait a couple of years to have the next generation in place.

The Next Generation Project Information Portal is now available on the Partner Resource Centre. All Partner BPOCs (Business Points of Contact) and Certified Individuals will have access to information about the project through this portal.

 

Causal Analysis and Resolution (CAR) helps to identify and rectify the root cause of a defect or problem. It can be applied to any process area. The analysis can be qualitative, limited to a fishbone diagram or similar, or it can be more advanced, involving quantitative data. The steps below show how to quantify the performance of CAR activities.

  1. Define a measurable parameter based on the root cause of the issue identified.
  2. Determine a solution for fixing the root cause.
  3. Measure the performance of the parameter before and after implementing the change.
  4. Perform hypothesis tests such as a 2-sample t-test or a paired t-test on the measured parameter.
  5. Compare the predicted performance and the actual performance of the data.
  6. If there is no statistically significant difference between the predicted performance and the actual performance, it can be assumed that the changes are effective.
  7. If there is a statistically significant difference between the predicted performance and the actual performance, it can be assumed that the changes are not effective and another CAR needs to be done.

Auditing is sampling. The choice of the right sample is crucial for the success of a good audit. The scope of the audit also needs to be well defined before starting the audit. Normally, evidence of non-conformance is collected through document review, observation, interviews, etc. In addition, there are certain advanced procedures for conducting an audit.

Physical Auditing: Usually auditors limit themselves after

Nowadays there are many process improvement techniques and tools around us. Whether we use them in the right way is a different matter. Some commonly used models these days are CMMI, ISO 27001, ISO 9001, ITIL, 6 Sigma, etc. As the number of process improvement models and techniques increases, the decision of picking the right one for the organization becomes really crucial. In addition, the choice of order and priority may become highly important. First of all, the organization needs to analyze which are its painful areas. Then, based on that analysis, it needs to evaluate different models and choose the best fit. The organization’s decision to select a standard could also be purely customer-driven.

Once the standard is picked and compliance with it is achieved, many organizations go for formal evaluation by certification bodies. Proper care should be taken while selecting the certification agency too, as there are many. They need to be authenticated agencies. While evaluating several certification bodies, it needs to be remembered that the cheapest could be more expensive in the long run if its auditing is below standard.